PoSeidon: New Malware Family Targets Retailers’ Payment Systems

Security researchers have discovered a new family of sophisticated point-of-sale (PoS) malware, capable of stealing credit and debit card data from retailers’ payment systems.

Dubbed “PoSeidon,” the malware program scrapes memory from infected machines in search of valid credit card information, and stealthily exfiltrates the data to servers – the majority of which are hosted on Russian (.ru) domains.

“At a high level, it starts with a Loader binary that upon being executed will first try to maintain persistence on the target machine in order to survive a possible system reboot,” explained the researchers in a blog post.

Source: Talos

The loader then contacts a command and control (C&C) server, which responds by sending a URL containing another binary, FindStr, to download and execute. A keylogger is installed, and the malware begins scanning the memory of the PoS device for digit sequences that could be credit card numbers.

Next, the numbers are verified as payment card numbers using the Luhn algorithm. Keystrokes and credit card numbers are then encoded and sent to an exfiltration server.
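The Luhn check mentioned above is the same mod-10 test a responder can use to triage a captured buffer (a memory scrape or an exfiltration blob) for likely card numbers. The following is an added example, not Talos code or anything from the malware; the sample buffer and the 13-19 digit candidate length are constructed assumptions, and hits are masked to the first six and last four digits so the output does not itself expose full card numbers.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # fold two-digit results back into a single digit (d - 9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Digit runs of 13-19 digits not adjacent to other digits (assumed PAN lengths).
PAN_CANDIDATE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, as a PCI-style mask."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_luhn_valid_pans(buf: bytes) -> list[str]:
    """Return masked Luhn-valid digit runs found in buf, in order of appearance.

    Runs that fail Luhn (timestamps, counters, random numbers) are dropped,
    which is exactly the filtering step the article attributes to the malware,
    here used for defensive triage of a captured buffer.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(buf):
        digits = m.group().decode("ascii")
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits

# Constructed sample buffer: two well-known test card numbers, one 15-digit
# test number, a timestamp-like run and a sequential run, NUL-separated.
SAMPLE = (
    b"Track data cache\x00"
    b"4111111111111111\x00"
    b"1234567890123456\x00"
    b"20150320123456\x00"
    b"378282246310005\x00"
    b"5555555555554444"
)

if __name__ == "__main__":
    for hit in find_luhn_valid_pans(SAMPLE):
        print(hit)
```

Only the three Luhn-valid runs survive; the timestamp-like and sequential runs are discarded even though they are in the candidate length range.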

According to the security researchers, the keylogging feature could have been used to steal passwords, and may have been the initial infection vector.